Docker无根无法拉映像 [英] Docker rootless unable to pull images

问题描述

按照 https://docs.docker，我正在服务器上无源运行docker.com/engine/security/rootless/.

借助此功能，我可以拉出并运行hello-world.但是，每当我要提取更复杂的图像时，都会遇到以下错误:

With this I am able to pull and run hello-world. But whenever I want to pull a more complex image, I run into the following error:

$ docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
83ee3a23efb7: Extracting [==================================================>]  28.57MB/28.57MB
db98fc6f11f0: Download complete 
f611acd52c6c: Download complete 
failed to register layer: ApplyLayer exit status 1 stdout:  stderr: lchown /etc/gshadow: operation not permitted

docker info 的输出:

$ docker info
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.2
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 4.15.0-135-generic
 Operating System: Ubuntu 18.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 125.9GiB
 Name: ourserver
 ID: ZZ4G:IF5W:HJA4:GBZ4:BOHY:YNLX:EPTA:56OH:REXN:QJ5A:2HL3:KWWX
 Docker Root Dir: /home/honerkam/.local/share/docker
 Debug Mode: false
 Username: dhonerkamp
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

分配了Subid并安装了newuidmap，newgidmap:

Subids are assigned and newuidmap, newgidmap are installed:

$ grep ^$(whoami): /etc/subuid
honerkam:231072:165537
$ grep ^$(whoami): /etc/subgid
honerkam:231072:165537
$ which newuidmap
/usr/bin/newuidmap
$ which newgidmap
/usr/bin/newgidmap

我可以想到的这个设置中唯一不寻常的部分是，我可以访问已安装的文件系统上的驱动器，而引导根无法访问它.我自己也具有root用户访问权限.

The only unusual part in this setup I can think of is that I have access to my drive on an mounted filesystem, boot root does not have access to it. I also have root access myself.

任何引起此问题的线索将不胜感激！

Any clues on the cause of this issue would be highly appreciated!

推荐答案

如果有人遇到此问题，请复制我在github上收到的答案:

Copying an answer I received on github if anyone else runs into this issue:

NFS不支持CAP_DAC_OVERRIDE，因此您需要在〜/.config/docker/daemon.json中指定自定义{"data-root":"//somewhere-out-of-nfs"}，以存储图像放在非NFS位置.

NFS doesn't support CAP_DAC_OVERRIDE, so you need to specify custom {"data-root":"/somewhere-out-of-nfs"} in ~/.config/docker/daemon.json to store the images in a non-NFS location.

请参见 https://www.redhat.com/sysadmin/rootless-podman-nfs 以获得技术详细信息.

See https://www.redhat.com/sysadmin/rootless-podman-nfs for technical details.

这篇关于Docker无根无法拉映像的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！